SOLVED

Need more details regarding "Compare Your Score" section

%3CLINGO-SUB%20id%3D%22lingo-sub-304718%22%20slang%3D%22en-US%22%3ENeed%20more%20details%20regarding%20%22Compare%20Your%20Score%22%20section%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-304718%22%20slang%3D%22en-US%22%3E%3CP%3EHello%20Team%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20recently%20started%20analyzing%20secure%20score.%20I%20read%20in%20one%20of%20MS%20link%20that%20under%20%22Compare%20your%20score%22%20section%2C%20we%20can%20compare%20our%20score%20to%20the%20average%20score%20of%20all%20the%20O365%20tenants.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhat%20kind%20of%20comparison%20does%20it%20talk%20about%20here%3F%20It%20shows%20the%20average%20score%20which%20would%20be%20same%20for%20all%20the%20tenants%20with%20same%20industry%20size%2Fseat%20size.%20It%20is%20showing%20the%20average%20of%20all%20under%20seat%20size%2Findustry%20type%20categories.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHow%20should%20we%20interpret%20these%20graphical%20representation%20because%20we%20do%20not%20know%20the%20position%20of%20my%20tenant%20with%20respect%20to%20these%20averages.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20would%20really%20appreciate%20your%20feedback%20on%20this!!%20Thanks%20in%20advance!!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%2C%3C%2FP%3E%3CP%3EShivani%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-306176%22%20slang%3D%22en-US%22%3ERe%3A%20Need%20more%20details%20regarding%20%22Compare%20Your%20Score%22%20section%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-306176%22%20slang%3D%22en-US%22%3EThanks%20Shivani%2C%3CBR%20%2F%3E%3CBR%20%2F%3EI%20think%20Microsoft%20intended%20the%20secure%20score%20compare%20to%20help%20spur%20organisations%20on%20to%20improve%20their%20score%2C%20however%20in%20the%20real%20world%20this%20is%20probably%20proving%20to%20be%20counterproductive.%20I%20wouldn%E2%80%99t%20be%20surprised%20if%20the%20compare%20is%20removed%20down%20the%20road.%3CBR%20%2F%3E%3CBR%20%2F%3EMy%20advice%20is%20to%20use%20secure%20score%20as%20part%20of%20your%20tool%20kit%20for%20security%20along%20with%20other%20things%20such%20as%20Cyber%20Essentials%20and%20ISO.%20Use%20the%20recommendations%20to%20apply%20and%20raise%20your%20score%20to%20as%20high%20as%20possible%20where%20it%20aligns%20to%20your%20needs%20and%20not%20be%20too%20restrictive%20to%20users.%3CBR%20%2F%3E%3CBR%20%2F%3EI%20hope%20we%20have%20answered%20your%20initial%20question!%20If%20we%20have%2C%20please%20like%20the%20posts%20and%20mark%20on%20of%20them%20as%20the%20solution.%20Look%20forward%20to%20helping%20you%20again%20in%20the%20future!%3CBR%20%2F%3E%3CBR%20%2F%3EBest%2C%20Chris%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-306174%22%20slang%3D%22en-US%22%3ERe%3A%20Need%20more%20details%20regarding%20%22Compare%20Your%20Score%22%20section%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-306174%22%20slang%3D%22en-US%22%3E%3CP%3EThank%20you%20Jethro%20and%20Christopher%20for%20sharing%20your%20feedback.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%2C%20this%20%22Compare%20your%20score%22%20will%20not%20help%20much.%20This%20is%20indeed%20confusing.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20understand%20that%20we%20need%20to%20be%20more%20focus%20on%20the%20actions%20suggested%20as%20part%20of%20secure%20score%20and%20make%20sure%20other%20security%20features%20are%20being%20used.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-304765%22%20slang%3D%22en-US%22%3ERe%3A%20Need%20more%20details%20regarding%20%22Compare%20Your%20Score%22%20section%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-304765%22%20slang%3D%22en-US%22%3EHi%20Shivani%2C%3CBR%20%2F%3E%3CBR%20%2F%3E100%25%20Agree%20with%20Jethro%20here%20in%20terms%20of%20the%20score%20and%20what%20it%20represents.%20There%20is%20an%20element%20of%20gamification%20in%20the%20Secure%20Score%20which%20I%20often%20find%20makes%20organisations%20think%20that%20if%20they%20outscore%20the%20industry%20average%20by%2020-30%20points%20then%20it%20means%20they%20are%20ok.%20It%20reality%20it%20only%20hides%20the%20fact%20that%20many%20Office%20365%20tenants%20do%20not%20utilise%20the%20security%20controls%20or%20best%20practices%20within%20their%20environments%20and%20your%20organisation%20becomes%20only%20marginally%20less%20insecure%20than%20the%20others.%3CBR%20%2F%3E%3CBR%20%2F%3EAs%20Jethro%20said%2C%20a%20lot%20has%20to%20do%20with%20mapping%20your%20own%20security%20requirements%20and%20I%20would%20add%20this%20includes%20actively%20managing%20these%20on%20an%20ongoing%20basis%20not%20just%20lighting%20up%20things%20like%20MFA%20and%20thinking%20that%20will%20do.%20Part%20of%20that%20is%20using%20secure%20score%20over%20time.%20There%20is%20a%20great%20article%20here%20about%20managing%20security%20with%20secure%20score%20over%20time%20-%20the%20first%2030%20days%2C%20then%2090%2C%20then%20beyond%3CBR%20%2F%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Foffice365%2Fsecuritycompliance%2Fsecurity-roadmap%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Foffice365%2Fsecuritycompliance%2Fsecurity-roadmap%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EAnd%20Microsoft%20have%20just%20released%20a%20series%20on%20best%20practice%20here%20on%20the%20TC%3CBR%20%2F%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FSecurity-Privacy-Compliance%2FHow-to-help-maintain-security-compliance%2Fm-p%2F298467%23M1748%22%20target%3D%22_blank%22%3Ehttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FSecurity-Privacy-Compliance%2FHow-to-help-maintain-security-compliance%2Fm-p%2F298467%23M1748%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EThis%20should%20be%20used%20in%20conjunction%20with%20other%20tools%20and%20guides%20such%20as%20Intune%2C%20Cloud%20App%20Security%20and%20Advanced%20Threat%20Intelligence.%20For%20things%20outside%20Microsoft%2C%20if%20you%20are%20a%20UK%20based%20organisation%20then%20I%20would%20consider%20Cyber%20Essentials%20here%3CBR%20%2F%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fwww.gov.uk%2Fgovernment%2Fpublications%2Fcyber-essentials-scheme-overview%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.gov.uk%2Fgovernment%2Fpublications%2Fcyber-essentials-scheme-overview%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EAnd%20looking%20into%20ISO27001%3CBR%20%2F%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fwww.iso.org%2Fisoiec-27001-information-security.html%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.iso.org%2Fisoiec-27001-information-security.html%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3ESecurity%20improvement%20is%20also%20a%20lot%20about%20training%20as%20much%20as%20the%20tools%20so%20I%20would%20consider%20how%20to%20improve%20staff%20behaviours.%20If%20you%20do%20Cyber%20Essentials%20and%20ISO%20then%20there%20are%20trading%20elements.%20Having%20a%20few%20staff%20ITIL%20trained%20will%20help%20too.%3CBR%20%2F%3E%3CBR%20%2F%3EHope%20that%20helps.%3CBR%20%2F%3E%3CBR%20%2F%3EBest%2C%20Chris%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-304743%22%20slang%3D%22en-US%22%3ERe%3A%20Need%20more%20details%20regarding%20%22Compare%20Your%20Score%22%20section%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-304743%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYou%20shouldn't%20compare%20your%20score%20to%20these%20averages%20as%20they%20are%20misleading.%20They%20also%20contain%20trial%20tenants%20that%20are%20not%20used%20anymore.%20If%20you%20set%20up%20some%20as%20easy%20as%20MFA%20you%20will%20already%20outrank%20them%20in%20a%20major%20way.%20To%20add%20to%20that%20you%20need%20to%20define%20your%20security%20policies%20based%20on%20your%20organization's%20needs%2C%20to%20identify%20first%20the%20business%20logic%20for%20security%20and%20match%20them%20to%20the%20secure%20score%20policy.%20Use%20it%20as%20a%20guideline%2C%20not%20a%20scoring%20mechanism.%20Some%20security%20measures%20aren't%20even%20scored%20by%20secure%20score%20yet.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ejust%20my%20two%20cents%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

Hello Team,

 

I have recently started analyzing secure score. I read in one of MS link that under "Compare your score" section, we can compare our score to the average score of all the O365 tenants.

 

What kind of comparison does it talk about here? It shows the average score which would be same for all the tenants with same industry size/seat size. It is showing the average of all under seat size/industry type categories. 

 

How should we interpret these graphical representation because we do not know the position of my tenant with respect to these averages.

 

I would really appreciate your feedback on this!! Thanks in advance!!

 

Thanks,

Shivani

4 Replies

Hi,

 

You shouldn't compare your score to these averages as they are misleading. They also contain trial tenants that are not used anymore. If you set up some as easy as MFA you will already outrank them in a major way. To add to that you need to define your security policies based on your organization's needs, to identify first the business logic for security and match them to the secure score policy. Use it as a guideline, not a scoring mechanism. Some security measures aren't even scored by secure score yet. 

 

just my two cents

best response confirmed by Shivani_ra (Occasional Contributor)
Solution
Hi Shivani,

100% Agree with Jethro here in terms of the score and what it represents. There is an element of gamification in the Secure Score which I often find makes organisations think that if they outscore the industry average by 20-30 points then it means they are ok. It reality it only hides the fact that many Office 365 tenants do not utilise the security controls or best practices within their environments and your organisation becomes only marginally less insecure than the others.

As Jethro said, a lot has to do with mapping your own security requirements and I would add this includes actively managing these on an ongoing basis not just lighting up things like MFA and thinking that will do. Part of that is using secure score over time. There is a great article here about managing security with secure score over time - the first 30 days, then 90, then beyond

https://docs.microsoft.com/en-us/office365/securitycompliance/security-roadmap

And Microsoft have just released a series on best practice here on the TC

https://techcommunity.microsoft.com/t5/Security-Privacy-Compliance/How-to-help-maintain-security-com...

This should be used in conjunction with other tools and guides such as Intune, Cloud App Security and Advanced Threat Intelligence. For things outside Microsoft, if you are a UK based organisation then I would consider Cyber Essentials here

https://www.gov.uk/government/publications/cyber-essentials-scheme-overview

And looking into ISO27001

https://www.iso.org/isoiec-27001-information-security.html

Security improvement is also a lot about training as much as the tools so I would consider how to improve staff behaviours. If you do Cyber Essentials and ISO then there are trading elements. Having a few staff ITIL trained will help too.

Hope that helps.

Best, Chris

Thank you Jethro and Christopher for sharing your feedback.

 

So, this "Compare your score" will not help much. This is indeed confusing.

 

I understand that we need to be more focus on the actions suggested as part of secure score and make sure other security features are being used.

Thanks Shivani,

I think Microsoft intended the secure score compare to help spur organisations on to improve their score, however in the real world this is probably proving to be counterproductive. I wouldn’t be surprised if the compare is removed down the road.

My advice is to use secure score as part of your tool kit for security along with other things such as Cyber Essentials and ISO. Use the recommendations to apply and raise your score to as high as possible where it aligns to your needs and not be too restrictive to users.

I hope we have answered your initial question! If we have, please like the posts and mark on of them as the solution. Look forward to helping you again in the future!

Best, Chris